Chapter 1: Upgrading — Overview 



Blue Coat® strongly recommends that you read this document before attempting to upgrade to SGOS 
4.x from previous ProxySG operating systems. 

Existing features and policies might not behave as they did in previous versions, and upgrading to this 
version might require some additional configuration tuning. This SGOS version introduces new security 
features, so when downgrading to previous versions, not all configurations and policies are retained. 

Changes Between SGOS 3.x and SGOS 4.x 

Unlike SGOS 3.x, SGOS 4.x does not permit upgrades from SGOS 2.x or CacheOS 4.x. All systems 
must be upgraded to SGOS 3.2.4 before being upgraded to SGOS 4.x. For information on the correct 
upgrade path, see Table 2.1, "Upgrade Paths" on page 7. 

If you attempt to download the next major release and you receive an error message saying that the 
download failed due to policy deprecations, your policy uses constructs that are no longer supported 
in SGOS 4.x. You must correct any policy syntax problems before upgrading. For information on 
checking for policy deprecation, see "Policy Deprecation" on page 25. 

If the upgrade path is followed, most of the current settings on the ProxySG are maintained after the 
upgrade. New or transformed settings in SGOS 4.x are derived from the original settings wherever 
possible. 

About the Document Organization 

This document is organized for easy reference, and is divided into the following sections and chapters: 

Table 1.1: Document Organization 

Chapter Title                                        Description 
Chapter 1 - Introducing the Upgrade/Downgrade Guide  Upgrade differences between SGOS 3.2.x and SGOS 4.x. 
                                                     Blue Coat documentation and documentation conventions 
                                                     are also discussed. 
Chapter 2 - Upgrade Behavior, General                This chapter discusses general upgrade issues, including 
                                                     the required upgrade path and licensing. 
Chapter 3 - Upgrade Behavior, Specifics              This chapter identifies new features in SGOS 4.x and 
                                                     discusses any upgrade/downgrade issues. 

Related Blue Coat Documentation 

• Blue Coat 6000 and 7000 Installation Guide 

• Blue Coat 400 Series Installation Guide 

• Blue Coat 800 Series Installation Guide 

• Blue Coat 8000 Series Installation Guide 

• Blue Coat ProxySG Configuration and Management Guide 

• Blue Coat ProxySG Content Policy Language Guide 

• Blue Coat ProxySG Command Line Interface Reference 

Document Conventions 

The following section lists the typographical and Command Line Interface (CLI) syntax conventions 
used in this manual. 

Table 1.2: Typographic Conventions 

Convention          Definition 
Italics             The first use of a new or Blue Coat-proprietary term. 
Courier font        Command line text that appears on your administrator workstation. 
Courier Italics     A command line variable that is to be substituted with a literal name or value 
                    pertaining to the appropriate facet of your network system. 
Courier Boldface    A ProxySG literal to be entered as shown. 
{ }                 One of the parameters enclosed within the braces must be supplied. 
[ ]                 An optional parameter or parameters. 
|                   Either the parameter before or after the pipe character can or must be selected, 
                    but not both. 
Upgrading 

When upgrading to SGOS 4.x from SGOS 3.2.4 or higher, the ProxySG saves a copy of the original 
configuration. This saved copy is not touched when you configure features going forward. If you 
downgrade to the previous SGOS version, the saved configuration is used and the ProxySG is 
restored to that state. 

Following the upgrade path provided maintains most of the current settings, the exceptions being 
those features that were substantially enhanced in SGOS 4.x. 

The only supported direct upgrade is from SGOS 3.2.4 and later. CacheOS 4.x and SGOS 2.x systems 
must first be upgraded to the SGOS 3.2.4 release. The following table provides the upgrade paths for 
these earlier versions. 

Table 2.1: Upgrade Paths 

Current OS               Direct upgrade    Next OS version    Comments 
                         to SGOS 3.2.4?    required 
CA 1.0.00-CA 3.1.15      No                CA 3.1.16 
CA 3.1.16                No                CA 4.1.10 
CA 3.5.00-CA 3.5.07      No                CA 3.5.08 
CA 3.5.08                No                CA 4.1.10 
CA 4.0.00-CA 4.1.09      No                CA 4.1.10 
CA 4.1.10 or greater     No                SG 2.1.07 
CA 4.2.00                No                CA 4.2.01 
CA 4.2.01 or greater     Yes               None               Can directly upgrade to SGOS 3.2.4. 
SA 1.0.00-SA 2.0.x       No                SA 2.0.x 
SA 2.0.x                 No                SA 4.1.10 
SA 4.0.00-SA 4.1.09      No                SA 4.1.10 
SA 4.1.10 or greater     Yes               None               Can directly upgrade to SGOS 3.2.4. 
SG 2.0.00-SG 2.1.06      No                SG 2.1.07 
SG 2.1.07 or greater     Yes               None               Can directly upgrade to SGOS 3.2.4. 
CPL Notes 

In SGOS 3.2.4 or greater, deprecation warnings are issued for CPL syntax that is abandoned in SGOS 
4.x. If abandoned syntax is still present after the upgrade, the CPL compiler reports errors, the policy 
fails to install, and the ProxySG falls back to its default policy of ALLOW or DENY for all traffic. In 
practice that means either every request is passed unfiltered (default ALLOW) or all traffic is blocked 
(default DENY). Following the recommended upgrade process ensures that policy integrity, and 
therefore network security, is maintained. 

Tunneling Protocol Notes 

For SGOS 4.x, whether upgrading or a new installation, expect a 30-second delay when tunneling any 
protocol where the server speaks first. Some examples of these types of protocol are FTP, SMTP, POP3, 
and IMAP. The ProxySG currently does not support protocol detection for such protocols, so this 
delay occurs in all three types of tunnels: 

• TCP tunnel 

• SOCKS tunnel 

• HTTP CONNECT tunnel 

The workaround is to disable protocol detection, as in the CPL policy shown below, for all tunnels 
where the tunneled protocol is one in which the server speaks first. 

Note the following: 

• The destination-based condition in Rule 1 is included to avoid a security issue; do not remove it to 
simplify the rule. 

• If the server is listening on a non-default port, add a line containing that port to the 
server_speaks_first_port_list condition. 

<Proxy> 
; Rule 1: no protocol detection on tunnels to ports where the server speaks first 
condition=server_speaks_first_port_list condition=tunneling_protocol detect_protocol(none) 

; Definitions 
define condition server_speaks_first_port_list 
    url.port=25     ; SMTP 
    url.port=143    ; IMAP 
    url.port=21     ; FTP control channel 
    url.port=110    ; POP3 
end 

define condition tunneling_protocol 
    client.protocol=http 
    client.protocol=tcp 
    client.protocol=socks 
end 

If you have a configuration that uses passive FTP through SOCKS, the policy might not avoid the 
30-second delay because a separate data connection is created to transfer data, and the port used on 
this data connection is random. 
You have two options: 

• Generate a white list of FTP servers that can be accessed, such as: 

<Proxy> 
; disable protocol detection only for SOCKS tunnels to the listed FTP servers 
client.protocol=socks condition=ftp_destination detect_protocol(none) 

define condition ftp_destination 
    url.address=<IP1> 
    url.address=<IP2> 
end 

• Implement policy in which all SOCKS tunnels do not do protocol detection, such as: 

<Proxy> 
; disables protocol detection for every SOCKS tunnel, not only FTP 
client.protocol=socks detect_protocol(none) 

Summary of Changes to the Upgrade Process 

• The upgrade path must include a system that shows all possible deprecation warnings, so that 
these can be corrected in advance of the upgrade, to avoid policy compilation failures after 
upgrading. Migrating through SGOS 3.2.4 or greater satisfies this requirement. 

• If the currently installed policy issued deprecation warnings when compiled, downloads of 
systems in which that syntax has been abandoned fail with an error. Which error message you see 
depends on whether you were using the Management Console or the CLI. 

From the Management Console: 

Policy deprecation warnings exist. Please resolve them prior to upgrading to the next major release of 
system software 

From the CLI: 

WARNING: The installed policy contains deprecation warnings. Please fix these 
warnings prior to upgrading to the next major release, or use load upgrade 
ignore-warnings at your own risk. Upgrading to the next major release with 
deprecation warnings will cause the policy compilation to fail on boot. 

This means that you cannot download major version upgrades while policy contains deprecated 
syntax. 

Generally, the deprecation warnings indicate the appropriate corrective action. See "Policy 
Deprecation" on page 25 for instructions on how to view the deprecation warnings that indicate 
the syntax to be corrected. 

Note: The Visual Policy Manager (VPM) automatically generates up-to-date CPL syntax. If the 
deprecation warnings are issued from the VPM policy file, start the VPM and reload the policy 
to get the latest version of the generated CPL. 

You can force an upgrade while deprecation warnings are present using the CLI command load 
upgrade ignore-warnings; however, policy compilation will fail after the upgrade and the 
ProxySG reverts to the default policy of ALLOW or DENY. Corrective action is required to restore 
normal operation. 
• Any CPL local policy that performs operations such as ALLOW, DENY, Authenticate, or Redirect, 
or that modifies Cookie/Set-Cookie headers, might interfere with the Notify User policy. Before 
using the VPM Notify User policy, remove all coaching/splash/notify policy from the CPL local 
policy file. 

Restoring to Previous Versions 

When upgrading from the SGOS 3.2.4 or higher release, a copy of the settings is saved prior to any 
transformations by SGOS 4.x so that the original settings are available if the ProxySG is downgraded 
to SGOS 3.2.4. 

Keep in mind that changes made after the upgrade are not preserved on a downgrade. After an upgrade 
and a downgrade, the state is exactly what it was before the upgrade. 

Redoing an Upgrade from SGOS 3.2.4 

When the initial SGOS 4.x upgrade occurs, any compatible configurations are converted. This only 
happens the first time you upgrade; if you later downgrade to a pre-SGOS 4.x version by selecting an 
earlier image on your system, make configuration changes, and re-install SGOS 4.x, the new SGOS 
3.2.4 changes are not propagated to SGOS 4.x. 

To force the new system's configuration to be regenerated after changes are made to the older system's 
configuration, you must force the upgrade conversion to occur again. Use the 
restore-sgos3-config command, which converts the current SGOS 3.x configuration to the SGOS 
4.x configuration. 

Note: The earlier force commands, restore-sgos2-config and restore-cacheos4-config, are not 
available in SGOS 4.x; they can only be run from earlier versions. 

The restore-sgos3-config command first checks whether there are saved SGOS 3.2.4 settings on the 
ProxySG. If not, the CLI command warns the administrator and exits. 

If saved SGOS 3 settings exist, the restore-sgos3-config command warns the administrator that all 
the current SGOS 4.x settings will be lost and that a restart will be initiated, waits for positive 
confirmation, clears all the current SGOS 4.x settings, and then initiates a restart. The restart 
(similar to a restart regular) triggers the upgrade process, which copies over the SGOS 3 settings 
and transforms them to the SGOS 4.x settings. 

Redoing an Upgrade from SGOS 2.x or CacheOS 4.x 

To downgrade to capture changes to the older version's configuration, you must first launch the SGOS 
3.x image, then select the SGOS 2.x or CacheOS 4.x version to launch. After you make the desired 
changes, you must follow the upgrade path back to SGOS 3.2.4, using the restore-sgos2-config or 
restore-cacheos4-config command. (See Table 2.1 on page 7 for information on upgrade paths.) 

The restore-sgos2-config or restore-cacheos4-config command first checks whether there are 
saved SGOS 2.x or CacheOS 4.x settings on the ProxySG. If not, the CLI command warns the 
administrator and exits. 

If saved settings exist, the command warns the administrator that all the current next-version settings 
will be lost and that a restart will be initiated, waits for positive confirmation, clears all the 
current next-version settings, and then initiates a restart. The restart (similar to a restart regular) 
triggers the upgrade process, which copies over the settings and transforms them to the next-version 
settings. 

Important: Check for deprecation warnings after upgrading to 3.2.4 and before proceeding to SGOS 
4.x. 

Changing Between SGOS 4.x Versions 

When moving from one SGOS 4.x release to another SGOS 4.x release, the system maintains all 
settings. Changes made after an upgrade continue to be available after a subsequent downgrade as 
long as the setting is relevant to the downgraded release. 

Note: When upgrading or downgrading between versions of SGOS 4.x, copies of version-specific 
configurations are not retained. Instead, all configurations created in an upgrade are retained 
if the configuration is relevant to the downgrade version. 

Take care when using policy features introduced in a minor release. These cause compilation errors 
if you fall back to a previous version of the same major release in which those features were 
unsupported. 

To prevent accidental fallbacks, remove unused system images (using installed_systems delete 
number from the (config installed-systems) prompt). 

Licensing 

In SGOS 4.x, a base license is issued for SGOS 4.x functionality, regardless of whether those features 
existed before SGOS 4.x or are new in SGOS 4.x. 

If you upgrade from SGOS 3.x with a valid SGOS 4.x component license, the ProxySG lists the licensed 
components with their expiry dates; those components that are not licensed enter a 60-day trial period. 

If you upgrade from SGOS 3.x without a valid SGOS 4.x component license, all licensable components 
enter a trial period; the ProxySG attempts to download a license from the Blue Coat license download 
site once a day for the duration of the SGOS 4.x trial period. 

There are three types of licensable components: 

• Required — The SGOS base. 

• Included — Additional features provided by Blue Coat. 

• Optional — If applicable, any additional purchased features. 

When the license key file is created, it consists of all three components. The SGOS base is a required 
component of the license key file. The following table lists the ProxySG licensable components, 
categorized by type. 
Table 2.2: Licensable Components 

Type      Component               Description 
Required  SGOS 4 Base             The ProxySG operating system, plus base features: HTTP, FTP, 
                                  TCP-Tunnel, SOCKS, and DNS proxy. The following additional 
                                  features are also included in the base license: 
Included  3rd Party Onbox         Allows use with third-party vendor databases: Intersafe, Optenet, 
          Content Filtering       Proventia, SmartFilter, SurfControl, Websense, and Webwasher. 
Included  Websense Offbox         For Websense off-box support only. 
          Content Filtering 
Included  ICAP Services           External virus and content scanning with ICAP servers. 
Included  Bandwidth Management    Allows you to classify, control, and, if required, limit the amount 
                                  of bandwidth used by different classes of network traffic flowing 
                                  into or out of the ProxySG. 
Included  Windows Media Standard  MMS proxy; no caching or splitting; content pass-through. Full 
                                  policy control over MMS. 
Included  Real Media Standard     RTSP proxy; no caching or splitting; content pass-through. Full 
                                  policy control over RTSP. 
Included  Apple QuickTime Basic   RTSP proxy; no caching or splitting; content pass-through. Full 
                                  policy control over RTSP. 
Included  Netegrity SiteMinder    Allows realm initialization and user authentication to SiteMinder 
                                  servers. 
Included  Oracle COREid           Allows realm initialization and user authentication to COREid 
                                  servers. 
Included  Peer-to-Peer            Allows you to recognize and manage peer-to-peer (P2P) activity 
                                  relating to P2P file sharing applications. 
Included  Compression             Allows reduction of file sizes without losing any data. 
Optional  SSL                     SSL termination; includes an SSL termination card to be installed 
                                  on the appliance. 
Optional  IM                      AOL Instant Messaging: AIM proxy with policy support for AOL 
                                  Instant Messenger. MSN Instant Messaging: MSN proxy with policy 
                                  support for MSN Instant Messenger. Yahoo Instant Messaging: Yahoo 
                                  proxy with policy support for Yahoo Instant Messenger. 
Optional  Windows Media Premium   MMS proxy; content caching and splitting. Full policy control over 
                                  MMS. When the maximum number of concurrent streams is reached, all 
                                  further streams are denied and the client receives a message. 
Optional  Real Media Premium      RTSP proxy; content caching and splitting. Full policy control over 
                                  RTSP. When the maximum number of concurrent streams is reached, all 
                                  further streams are denied and the client receives a message. 


Hardware Supported 

With SGOS 4.x, support for the ProxySG Series 600 and 700 systems has been dropped. Users with 
these systems must either upgrade their hardware or stay with SGOS 3.x. Blue Coat supports the 
following hardware: 

• ProxySG Series 200 

• ProxySG Series 400 

• ProxySG Series 800 

• ProxySG Series 6000 

• ProxySG Series 7000 

• ProxySG Series 8000 

Note: If you are upgrading an existing ProxySG appliance that has already been registered with Blue 
Coat, you do not need to re-register the hardware. You can just mark the system as manually 
registered in the License Warning pane, which displays when you leave the Management 
Console home page. (You can also use the CLI to mark the hardware as registered by using the 
commands under (config) licensing.) 

If you have a new ProxySG appliance, you must register the hardware directly online and 
then license the software. 



Documentation References 

• Chapter 2, "Licensing," in the Blue Coat ProxySG Configuration and Management Guide 

• To do an upgrade for the ProxySG through the Management Console, refer to Chapter 21, 
"Maintenance," Blue Coat ProxySG Configuration and Management Guide. 

• Blue Coat ProxySG Command Line Reference 
This chapter provides critical information concerning how specific features are affected by upgrading 
to SGOS 4.x (and, if relevant, downgrading from it) and provides actions administrators must or are 
recommended to take as a result of upgrading. 

This chapter contains the following sections: 

• "Access Logging" — Discusses the new global enable/disable switch, the Peer-to-Peer (P2P) format 
and log, and the new substitutions. 

• "Authentication" — Discusses Policy Substitution, Oracle COREid, and RADIUS realms. 

• "Bandwidth Management" — Discusses bandwidth management features. 

• "Compression" — Discusses ProxySG behavior when using HTTP compression. 

• "Content Filtering" — Discusses downgrade behavior for new third-party vendors. 

• "CPU Monitoring" — Allows you to see the percentage of CPU being used by specific functional 
groups. 

• "Endpoint Mapper and SOCKS Compression" — Discusses Endpoint Mapper proxy and SOCKS 
compression. 

• "ICAP Patience Page" — Discusses new and changed commands for Patience Page settings. 

• "Policy" — Lists new VPM objects and CPL syntax, abandoned substitutions, new exception pages, 
and new object naming and UTF-8 encoding in VPM. 

• "Securing the Serial Port" — Describes the upgrade/downgrade behavior if you secure the serial 
port. 

• "SmartFilter Version 4" — The SmartFilter license key is now required if you use SmartFilter, 
version 4. 

• "SSL Key Management" — Discusses new non-interactive commands to enhance SSL key 
management available through Director. 

• "SurfControl" — A username/password is now required if you use the new SurfControl database. 

Note: If a topic is not discussed, it means no upgrade or downgrade issues exist for that feature; 
for example, event logging has no changed functionality from previous versions and is not 
discussed in this document. 



Access Logging 

Access Logging has added new features in SGOS 4.x: 

• A global enable / disable switch: See below. 

• A P2P format and log: See "Peer-to-Peer" on page 17. 

• New substitutions: See "New Access Logging Substitutions" on page 17. (For a list of deprecated 
substitutions, see Table 3.11, "Abandoned Substitution Tokens" on page 28.) 
Global Enable/Disable Switch 

In SGOS 4.x, you can enable or disable access logging on a global basis, both through the Management 
Console (Access Logging > General > Global Settings) and the CLI. 

When logging is disabled, that setting overrides both policy and the logging configuration. When access 
logging is enabled, policy settings override the access logging configuration. 

Note: Access-log uploads are not affected by the global enable/disable switch; disabling access 
logging does not disable the ability to upload existing log files. 

On new systems, access logging is disabled by default, but certain protocols are configured to use 
specific logs. When access logging is enabled, logging begins immediately for all configured 
protocols. 

If you are upgrading your system, your existing protocol configurations are preserved and access 
logging is enabled by default so that logging continues as previously configured. Protocols new in 
SGOS 4.x are set to a default log of none in this case. 



Note: If you do not have a license for bandwidth management, access log uploads will not be 
bandwidth limited, even if they were bandwidth-limited in SGOS 3.x. 

Certain protocols now have logs assigned to them by default. The defaults can be changed. 

Note: Protocols are not associated with a log by default upon an upgrade. They are only associated 
with a default log on new SGOS 4.x systems. 

Table 3.1: Default Logs and Protocols 

Protocol                  Log 
Endpoint Mapper           main 
FTP                       main 
HTTP/HTTPS                main 
ICP                       none 
Instant Messaging         im 
Peer to Peer              p2p 
Real Media/QuickTime      streaming 
SOCKS                     none 
TCP Tunneling             main 
Telnet                    none 
Windows Media             streaming 

New CLI Commands 

SGOS#(config access-log) enable 
SGOS#(config access-log) disable 

Document References 

Chapter 20, "Access Logging," in the Blue Coat ProxySG Configuration and Management Guide 
Peer-to-Peer 

The ProxySG recognizes peer-to-peer (P2P) activity relating to P2P file sharing applications. By 
constructing policy, you can control, block, and log P2P activity and limit the bandwidth consumed by 
P2P traffic. 

Upgrade Behavior 

• A new default format and a log called p2p are created. 

• The default p2p format is associated with the p2p log. 

• If a format called p2p already exists, that format is renamed to p2p_user. Any log referencing the old 
p2p format will, after the upgrade, reference p2p_user instead. If both p2p and p2p_user exist prior to 
the upgrade, the format p2p is renamed to p2p_user1 so that the new default format p2p can be 
created. 

• If a log called p2p already exists, a new log is not created. 
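The rename rules above are easy to misread when an existing log already uses a custom p2p format: after the upgrade that log keeps writing in the renamed custom format, and nothing writes in the new default format until you reassign it. The following Python model, added here as an illustration and not part of Blue Coat's software or documentation, applies the documented rules to a minimal configuration (a set of format names plus a log-to-format map, both an assumption made for the example, not the ProxySG's real representation) and raises on the one collision the page does not define, where p2p, p2p_user and p2p_user1 all exist before the upgrade.

```python
"""Model of the SGOS 4.x upgrade step that introduces the built-in p2p access-log format.

Added example. The configuration model (format names, log -> format map) is an
assumption for the example, not the ProxySG's internal representation.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

DEFAULT_P2P_FORMAT = "p2p"
DEFAULT_P2P_LOG = "p2p"
RENAME_CANDIDATES = ("p2p_user", "p2p_user1")   # the two renames the guide documents


@dataclass
class AccessLogConfig:
    formats: Set[str] = field(default_factory=set)
    logs: Dict[str, str] = field(default_factory=dict)   # log name -> format name


def upgrade_p2p(cfg: AccessLogConfig) -> AccessLogConfig:
    """Return the configuration as it looks after the SGOS 4.x p2p conversion."""
    formats = set(cfg.formats)
    logs = dict(cfg.logs)

    if DEFAULT_P2P_FORMAT in formats:
        # A user-defined format occupies the reserved name; move it aside.
        free = [name for name in RENAME_CANDIDATES if name not in formats]
        if not free:
            raise ValueError(
                "formats p2p, p2p_user and p2p_user1 all exist; the guide defines no "
                "third rename, so rename your custom format before upgrading")
        renamed = free[0]
        formats.remove(DEFAULT_P2P_FORMAT)
        formats.add(renamed)
        # Logs that used the custom p2p format follow it to its new name.
        for log_name, fmt in logs.items():
            if fmt == DEFAULT_P2P_FORMAT:
                logs[log_name] = renamed

    # The built-in default format is always created.
    formats.add(DEFAULT_P2P_FORMAT)

    # The default p2p log is created only if no log of that name exists; an
    # existing p2p log keeps whatever format it referenced (possibly the renamed one).
    if DEFAULT_P2P_LOG not in logs:
        logs[DEFAULT_P2P_LOG] = DEFAULT_P2P_FORMAT

    return AccessLogConfig(formats, logs)


def logs_using_default_format(cfg: AccessLogConfig) -> Set[str]:
    """Names of logs that will actually be written in the built-in p2p format."""
    return {name for name, fmt in cfg.logs.items() if fmt == DEFAULT_P2P_FORMAT}


if __name__ == "__main__":
    # Constructed pre-upgrade state: the administrator already had a custom p2p format and log.
    before = AccessLogConfig({"main", "p2p"}, {"main": "main", "p2p": "p2p"})
    after = upgrade_p2p(before)
    print(sorted(after.formats))             # ['main', 'p2p', 'p2p_user']
    print(after.logs)                        # {'main': 'main', 'p2p': 'p2p_user'}
    print(logs_using_default_format(after))  # set(): nothing uses the new default format
```

The last line of the demonstration is the point worth checking on a real upgrade: if you relied on a custom p2p log before, verify after the upgrade which format it references and whether the new default format is used anywhere at all.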

CLI Compatibility Issues 

None. 

Documentation References 

• Chapter 15, "Advanced Policy," in the Blue Coat ProxySG Configuration and Management Guide 

• Chapter 14, "VPM," in the Blue Coat ProxySG Configuration and Management Guide 

• The Blue Coat Content Policy Language Guide 

New Access Logging Substitutions 

The following substitutions can be used in access logging and policy: 

Note: The access log ignores any ELFF or custom format fields it doesn't understand. In a 
downgrade, the format still contains all the fields used in the upgraded version, but only the 
fields valid for the downgraded version display any information. 
Table 3.2: New Substitutions 

ELFF substitution                     CPL substitution 
  Description 

x-exception-category-review-url       $(exception.category_review_url) 
  Used for categorization review for certain content filtering vendors. The substitution 
  contains only the categorization review URL, which is composed of the originally requested 
  URL and the standard prefix. The value is empty if the selected content filter provider does 
  not support review messages, if the provider was not consulted for categorization, or if the 
  categorization process failed due to an error. 

x-exception-category-review-message   $(exception.category_review_message) 
  An HTML-formatted message suitable for inclusion in an exception page. The value is empty 
  if the selected content filter provider does not support review messages, if the provider 
  was not consulted for categorization, or if the categorization process failed due to an error. 

x-p2p-client-type                     $(p2p.client) 
  The name of the P2P network the client application is connected to. For non-P2P traffic this 
  substitution has no value. 

x-cs-netbios-computer-name            $(netbios.computer-name) 
  The NetBIOS name of the computer. Empty if the query fails or the name is not reported. 

x-cs-netbios-computer-domain          $(netbios.computer-domain) 
  The name of the domain to which the computer belongs. Empty if the query fails or the name 
  is not reported. 

x-cs-netbios-messenger-username       $(netbios.messenger-username) 
  The name of the logged-in user. Empty if the query fails or the name is not reported. Also 
  empty if there is more than one logged-in user. 

x-cs-netbios-messenger-usernames      $(netbios.messenger-usernames) 
  A comma-separated list of all the messenger usernames reported by the target computer. 
  Empty if the query fails or no names are reported. 

x-cs-socks-compression                (none) 
  Compresses data on the client connection. 

x-sr-socks-compression                (none) 
  Compresses data on the server connection. 

x-virus-details                       $(icap_virus_details) 
  Details of a virus if one was detected. 

x-icap-error-code                     $(icap_error_code) 
  ICAP error code. 

x-icap-error-details                  $(icap_error_details) 
  ICAP error details. 

cs(Content-Encoding)                  $(request.header.Content-Encoding) 
  Request header Content-Encoding (client to server). This substitution allows you to monitor 
  the effect of the new HTTP compression features. 

rs(Accept-Encoding)                   $(response.header.Accept-Encoding) 
  Response header Accept-Encoding (server to client). This substitution allows you to monitor 
  the effect of the new HTTP compression features. 

A new substitution modifier, label(N), has been added. It is used in conjunction with the 
client.host substitution variable in defining Policy Substitution realms. For example, 
$(client.host:label(2)) could be used in the definition of a Policy Substitution realm to set the 
user name from the results of a reverse DNS lookup. For more information on the :label() 
modifier, refer to Appendix D, "Substitutions," in the Blue Coat Content Policy Language Guide. 
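Because the new x-* fields appear in the access log as ordinary ELFF columns, they can be triaged offline with a few lines of code. The following Python script is an added example and not part of Blue Coat's documentation or software. The log excerpt it parses is constructed for the example: the #Fields selection is an assumption (not the default main format), and the four records, the hostnames, the IP addresses, the P2P network name and the virus name are all made up. It pulls out the records an analyst would look at first (a virus reported through ICAP, an ICAP error where the scan did not complete, and P2P tunnel traffic) and it tolerates the downgrade case described in the note above, where a field the running version does not understand is emitted empty ('-').

```python
"""Parse SGOS-style ELFF access-log records and triage the SGOS 4.x substitutions.

Added example. The log excerpt below is constructed for illustration; its field
selection (the #Fields line) is an assumption, not the default 'main' format.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
#Software: SGOS 4.x
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri x-p2p-client-type x-virus-details x-icap-error-code x-cs-netbios-computer-name
2005-03-01 10:15:02 10.1.2.3 jdoe GET http://intranet.example/index.html - - - WS-JDOE
2005-03-01 10:15:07 10.1.2.4 - - tcp://198.51.100.7:6881 BitTorrent - - -
2005-03-01 10:15:09 10.1.2.3 jdoe GET http://files.example/setup.exe - "EICAR-Test-File (not a virus)" - WS-JDOE
2005-03-01 10:15:12 10.1.2.5 asmith GET http://files.example/big.zip - - 502 -
"""

# One ELFF token: either a double-quoted string (may contain spaces) or a bare word.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
EMPTY = "-"   # ELFF value for "no data"; also what an older SGOS emits for fields it lacks


def tokenize(line: str) -> List[str]:
    """Split one ELFF record into field values, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]


def parse_elff(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, ...) carry no data
        if not fields:
            raise ValueError("record appears before a #Fields directive")
        values = tokenize(line)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def has_value(rec: Dict[str, str], name: str) -> bool:
    """True when the field exists in this log version and carries data."""
    return rec.get(name, EMPTY) not in (EMPTY, "")


def triage(records: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Tag records worth a first look; a record can carry more than one tag."""
    findings: List[Tuple[str, Dict[str, str]]] = []
    for rec in records:
        if has_value(rec, "x-virus-details"):
            findings.append(("virus", rec))
        if has_value(rec, "x-icap-error-code"):
            # The scan did not complete; check whether the object was served anyway.
            findings.append(("icap-error", rec))
        if has_value(rec, "x-p2p-client-type"):
            findings.append(("p2p", rec))
    return findings


def summarize(text: str) -> Dict[str, List[str]]:
    """Map each tag to the client IPs that produced it, for a quick report."""
    out: Dict[str, List[str]] = {}
    for tag, rec in triage(parse_elff(text)):
        out.setdefault(tag, []).append(rec["c-ip"])
    return out


if __name__ == "__main__":
    for tag, ips in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{tag:10s} {', '.join(ips)}")
```

The icap-error tag deserves the most attention in a review: it marks requests where the scanner returned an error rather than a verdict, which is exactly where a fail-open ICAP configuration lets unscanned content through.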
Authentication 

Two new realms — policy substitution and Oracle COREid — have been added in SGOS 4.x. 

• COREid Realm — The ProxySG can be configured to consult an Oracle COREid (formerly known 
as Oblix NetPoint) Access Server for authentication and session management decisions. This 
requires that a COREid realm be configured on the ProxySG and policy written to use that realm 
for authentication. 

• Policy Substitution Realm — A Policy Substitution realm provides a mechanism for identifying and 
authorizing users based on information in the request. The realm uses information in the request 
and about the client to identify the user. The realm is configured to construct user identity 
information by using policy substitutions. See Table 3.2 on page 17 for useful substitutions added 
in support of this feature. 

In addition, RADIUS realms now support one-time passwords, and Netegrity realms now allow you 
to enable or disable client IP validation. 

Upgrade Behavior 

COREid and Policy Substitution realms: These new realms have no upgrade issues. On a downgrade, 
the realms will not be recognized and could cause policy compilation to fail if they are referenced by 
policy. 

Netegrity: On an upgrade, the new realm option for client IP validation is added to existing realms 
with the default value of enabled so that the behavior remains as it was. On a downgrade, the value 
is ignored and all SiteMinder realms do client IP validation. 

Administrator Actions 

You must upgrade to the latest version of the Blue Coat Authorization and Authentication Agent 
(BCAAA) before you can use the new COREid realm. 

Documentation References 

• Chapter 9, "Using Authentication Services," in the Blue Coat ProxySG Configuration and 
Management Guide 

Bandwidth Management 

Bandwidth management allows you to classify, control, and, if required, limit the amount of 
bandwidth used by different classes of network traffic flowing into or out of the ProxySG. Network 
resource sharing (or link sharing) is done using a bandwidth-management hierarchy where multiple 
traffic classes share available bandwidth in a controlled manner. 

Bandwidth management provides the following features: 

• Guarantees that certain traffic classes receive a specified minimum amount of available 
bandwidth. 

• Limits certain traffic classes to a specified maximum amount of bandwidth. 

• Prioritizes certain traffic classes to determine which classes have priority over available 
bandwidth. 
Upgrade Behavior 

As BWM is a new feature, upgrade issues are restricted to previously existing bandwidth 
configuration that is now subsumed into the BWM configuration. 

BWM does not replace the older bandwidth-limiting features currently available in Streaming (max 
streaming, max Real and max MMS); it complements them. 

BWM replaces the bandwidth-limiting configuration in Access Logging. Related BWM classes are 
automatically created based on the older Access Log bandwidth configuration and placed under the 
class "access-log-logname", where logname is the name of the log. 

Downgrade Behavior 

If downgraded, the access log behaves as previously configured. 

Documentation References 

Chapter 10, "Bandwidth Management," in the Blue Coat ProxySG Configuration and Management Guide. 

Blue Coat Web Filter Database Updates 

Blue Coat changed the URL for access to Blue Coat Web Filter (BCWF) database updates to 
list.bluecoat.com/bcwf/activity/download/bcwf.db. (The old URL was 
bluecoat.downloads.cerberian.com/dbupdates/bluecoat.db.) 

If you are upgrading from SGOS 3.2.2.x to SGOS 3.2.4.x and were using the old URL, you must change 
the URL to the currently supported location. 

You can use the Management Console or the CLI to enter the correct URL. 

• If using the Management Console, go to Configuration > Content Filtering > Blue Coat. Then click the 
Set to default button. 

• If using the CLI, enter the following commands from the (config) prompt: 

SGOS#(config) content-filter 
SGOS#(config content-filter) bluecoat 
SGOS#(config bluecoat) download url default 

To view the results: 

SGOS#(config bluecoat) view 

Documentation Reference 

Chapter 18, "Content Filtering," in the Blue Coat ProxySG Configuration and Management Guide. 
Compression 

In SGOS 4.x, Blue Coat offers both HTTP compression and SOCKS compression. 

• HTTP compression is an algorithm that reduces file size without losing any data. Whether to 
use compression depends on three resources: server-side bandwidth, client-side bandwidth, 
and ProxySG CPU. If server-side bandwidth is more expensive in your environment than CPU, 
then you should always request compressed content from the origin content server (OCS). 
However, if CPU is comparatively expensive, the ProxySG should instead be configured to ask the 
OCS for the same HTTP compressions that the client asked for and to forward whatever the server 
returns. 

The default configuration assumes that CPU is costlier than bandwidth. If this is not the case, you 
can change the ProxySG behavior. 

• SOCKS compression is supported for TCP/IP tunnels, which can compress the data transferred 
between the branch (downstream proxy) and main office (upstream proxy), reducing bandwidth 
consumption and improving latency. 

When SOCKS compression is used in conjunction with the new Blue Coat Endpoint Mapper 
(EPMapper) proxy, the Endpoint Mapper proxy accelerates Microsoft RPC traffic (applications 
that use dynamic port numbers) between branch and main offices, automatically creating TCP 
tunnels to ports where RPC services are running. 

Upgrade Behavior 

Prior to SGOS 4.x, the HTTP proxy did not cache objects if the server sent compressed content. With 
HTTP compression and variant object support, objects are now cached regardless of their encoding (if all 
other conditions allow caching). 

With variant object support, multiple copies of the same object (variants) might exist in the cache, and 
that might reduce the object-carrying capacity of the disk. 

On-box compression and decompression can significantly affect CPU and RAM usage. This will 
directly affect the capacity of the box. 

On an upgrade, cached HTTP objects are usable. On a downgrade, cached HTTP objects fetched after 
the upgrade are re-fetched. 

Documentation References 

• Chapter 6, "Configuring Proxies," in the Blue Coat ProxySG Configuration and Management Guide 

• The Blue Coat Content Policy Language Guide 

Content Filtering 

• Cerberian content filtering has changed its name to Blue Coat Web Filter (BCWF). No upgrade 
issues exist. On a downgrade, the vendor none is selected instead of any unsupported choice. 

Note: During the 60-day SGOS trial period, no username or password is required to use Blue 
Coat Web Filter. For more information, refer to "Configuring Blue Coat Web Filter" in 
Chapter 18 of the Blue Coat ProxySG Configuration and Management Guide. 

• The Blue Coat Web Filter database download URL has changed from SGOS 3.2.2.x to SGOS 
3.2.4.x. For more information, see "Blue Coat Web Filter Database Updates". 

• Three new content filtering third-party vendors — InterSafe, Optenet, and Webwasher — have 
been added in SGOS 4.x. These new vendors cause no upgrade issues. On a downgrade, the 
vendor none is selected instead of any unsupported choice. 

• The Websense log protocol changed from version 1 to version 3 in SGOS 3.2.x. 

Documentation References 

Chapter 18, "Content Filtering," in the Blue Coat ProxySG Configuration and Management Guide 

CPU Monitoring 

You can enable CPU monitoring whenever you want to see the percentage of CPU being used by 
specific functional groups. CPU monitoring is disabled by default. 

You can also view CPU monitoring statistics through Statistics>Advanced>Diagnostics. 

CLI Commands 

The following commands allow you to enable and manage CPU monitoring: 

Table 3.3: New CLI Commands for CPU Monitor 

Command                                                     Description 
SGOS# (config diagnostics) cpu-monitor {enable | disable}   Enables or disables the CPU monitor. 
SGOS# (config diagnostics) cpu-monitor interval seconds     Sets the interval, in seconds, between CPU monitoring samples. 
SGOS# (config diagnostics) view cpu-monitor                 Views CPU monitor statistics. 


Documentation References 

Appendix E, "Diagnostics," in the Blue Coat ProxySG Configuration and Management Guide. 

Endpoint Mapper and SOCKS Compression 

The Endpoint Mapper proxy accelerates Microsoft RPC traffic between branch and main offices, 
automatically creating TCP tunnels to ports where RPC services are running. The Endpoint Mapper 
proxy can be used in both explicit and transparent mode. 

Using SOCKS compression for TCP/IP tunnels reduces bandwidth consumption and improves 
latency. 

No configuration is required on the main office ProxySG to support SOCKS compression. However, 
configuration is required on the branch ProxySG to forward data through the SOCKS gateway. You 
can use policy or the socks-gateway CLI options to enable SOCKS compression globally. Using 
policy, you can enable or disable compression on a per-connection basis on either the client side or the 
server side. 

You must also configure the branch ProxySG for the Endpoint Mapper proxy. 
Upgrade/Downgrade Behavior 

• On new or upgraded systems, compression on the SOCKS proxy is enabled by default. SOCKS 
compression is disabled by default on the SOCKS forwarding host. 

• On new or upgraded systems, the Endpoint Mapper proxy service is created, but not enabled, on 
port 135. 

• If you downgrade the main office ProxySG but not the branch ProxySG, the branch office might 
still attempt compression, but compression will fail. 

• On an upgraded system, the SOCKS proxy settings and policy are unchanged from the 
version that was upgraded. 

Documentation References 

• Chapter 5, "Managing Port Services," in the Blue Coat ProxySG Configuration and Management Guide 

• Chapter 6, "Configuring Proxies," in the Blue Coat ProxySG Configuration and Management Guide 

ICAP Patience Page 

Patience pages display regardless of any pop-up blocking policy that is in effect. 

CLI Changes and Additions 

The following CLI commands have been modified: 

Table 3.4: Changed CLI Syntax 

Abandoned Syntax                        Current Syntax 
inline http icap-patience-details eof   inline http icap-patience details eof 
inline http icap-patience-header eof    inline http icap-patience header eof 
inline http icap-patience-help eof      inline http icap-patience help eof 
inline http icap-patience-summary eof   inline http icap-patience summary eof 


New commands created to view Patience Page settings are: 

• SGOS#(config external-services) view http icap-patience details 

• SGOS#(config external-services) view http icap-patience header 

• SGOS#(config external-services) view http icap-patience help 

• SGOS#(config external-services) view http icap-patience summary 

Documentation References 

Chapter 11, "External Services," in the Blue Coat ProxySG Configuration and Management Guide 
Policy 

In SGOS 4.x, the following properties and objects have been added: 

• Actions and Properties (Action objects) 

o category.dynamic.mode (used with dynamic categorization in VPM) 
o detect_protocol (not available in VPM) 
o force_protocol (not available in VPM) 
o http.allow_compression (used with client compression in VPM) 
o http.allow_decompression (used with client compression in VPM) 
o http.client.allow_encoding (not available in VPM) 
o http.server.accept_encoding (used with server compression in VPM) 
o http.server.accept_encoding.allow_unknown (used with server compression in VPM) 
o limit_bandwidth (used with bandwidth management in VPM) 
o Notify User object (not available in CPL) 
o SOCKS.allow_compression (used with SOCKS compression in VPM) 
o SOCKS.gateway.request_compression (used with SOCKS compression in VPM) 

• Conditions (Source objects) 

o http.connect (not available in VPM) 
o p2p.client (used with P2P client object in VPM) 

• Properties (Service objects) 

o icap_error_code (used with ICAP in VPM) 
o virus_detected (used with ICAP in VPM) 

In addition, the following conditions can now be used in the <Forward> layer: 

• attribute.<name>= 

• authenticated= 

• group= 

• realm= 

• user= 

• user.domain= 

• user.x509.issuer= 

• user.x509.serialNumber= 

• user.x509.subject= 

The authenticated= condition can be used to test whether or not the user information is available. 
Forward layer rules containing the other new authentication conditions will fail to match if there is no 
associated user, regardless of the value specified in the test. 
Two new named definitions have been added — define policy and define strong. (A named definition 
is one that is explicitly referenced by policy.) Since a copy of the files of the original operating system 
version has been saved, later-version changes, such as new named definitions, are not available in the 
downgrade. 

Policy Deprecation 

Syntax that was deprecated in SGOS 3.2.4 has been abandoned in SGOS 4.x, and this syntax must be 
corrected before an upgrade can be successfully completed. For information on replacement syntax, 
see "CPL", below. 

To check for policy deprecation warnings: 

• In the Management Console: 

Configuration > Policy > Policy Files 

From the View File: drop-down list, select Results of Policy Load, and press View. 

-or- 

Statistics>Advanced>Policy>Results of policy load 

• From a browser: 

https://ProxySG_IP:port/policy_import_listing.html 

• At the CLI command prompt: 

SGOS> show policy listing 

To check for deprecation warnings in exception pages: 

• In the Management Console: 

Configuration > Policy > Exceptions 

From the View File: drop-down list, select Results of Exceptions Load, and press View. 

-or- 

Statistics>Advanced>Exceptions>View last installation status 

• From a browser: 

https://ProxySG_IP:port/exceptions_listing.html 



Note: You cannot check for warnings in exception pages through the CLI. 



Documentation References 

• Chapter 14, "VPM," in the Blue Coat ProxySG Configuration and Management Guide 

• The Blue Coat Content Policy Language Guide 



CPL 

Syntax that was deprecated in SGOS 3.x has been abandoned in SGOS 4.x. Policy that includes 
abandoned syntax should be corrected before you attempt to upgrade the system. The standard 
upgrade path and process are designed to ensure the integrity of policy and the security of your 
network. Blue Coat strongly recommends that you follow the approved upgrade path and correct any 
policy deprecation warnings prior to upgrading to SGOS 4.x. 
Policy that has been abandoned is listed in the tables below. 

Table 3.5: Abandoned Definition Syntax 

Abandoned Syntax                                          Replacement Syntax 
define acl                                                define subnet 
define actions                                            None. Actions can be defined anywhere in the policy. 
domain (as a condition definition type)                   url.domain 
prefix (as a condition definition type)                   url 
caseless                                                  None. All response-side URL rewrites are now case insensitive by default. 
subst_embedded (in a url rewrite transform definition)    rewrite url_substring 
subst_prefix (in a url rewrite transform definition)      rewrite url_prefix 

Table 3.6: Abandoned Section Syntax 

Abandoned Syntax                        Replacement Syntax 
[Domain] section heading                [url.domain] 
[Domain-Suffix] section heading         [url.domain] 
[Prefix] section heading                [url] 
[Regex] section heading                 [url.regex] 
[Regular-expression] section heading    [url.regex] 


Table 3.7: Abandoned Substitution Syntax 

Abandoned Syntax    Replacement Syntax 
'(1)                $(1) 
'1                  $(1) 
$1                  $(1) 


Table 3.8: Abandoned Policy Conditions 

Abandoned Syntax                    Replacement Syntax 
acl=                                client.address= 
category.unavailable=               category=unavailable 
client_address=                     client.address= 
client_protocol=                    client.protocol= 
method= (in <admin> layers)         admin.access=READ|WRITE 
method=                             See Method Tests 
protocol=                           url.scheme= 
proxy_address=                      proxy.address= 
proxy_card=                         proxy.card= 
proxy_port=                         proxy.port= 
release_id=                         release.id= 
release_version=                    release.version= 
request_header.<name>=              request.header.<name>= 
request_header_address.<name>=      request.header.<name>.address= 
request_x_header.<name>=            request.x_header.<name>= 
request_x_header_address.<name>=    request.x_header.<name>.address= 
response_header.<name>=             response.header.<name>= 
response_x_header.<name>=           response.x_header.<name>= 
url_address=                        url.address= 
url_domain=                         url.domain= 
url_extension=                      url.extension= 
url_host=                           url.host= 
url_host_is_numeric=                url.host.is_numeric= 
url_host_no_name=                   url.host.no_name= 
url_host_regex=                     url.host.regex= 
url_host_suffix=                    url.host.suffix= 
url_path=                           url.path= 
url_path_regex=                     url.path.regex= 
url_port=                           url.port= 
url_prefix=                         url= 
url_query_regex=                    url.query.regex= 
url_regex=                          url.regex= 
url_scheme=                         url.scheme= 
user_domain=                        user.domain= 
virus_pattern_update_url=           None. All supported ICAP versions provide automatic notification of pattern file updates. 


Table 3.9: Abandoned Policy Properties 

Abandoned Syntax                    Replacement Syntax 
property=value syntax               property(value) 
authenticate() (in cache layer)     Move to proxy layer 
authenticate([, display_realm])     The optional "display_realm" property value is abandoned in favor of specification in the realm configuration. 
block_category()                    category= in conjunction with exception() 
content_filter_override()           request.filter_service() 
label()                             action() 
max_bitrate(0)                      max_bitrate(no) 
prefetch()                          pipeline() 
proxy_authentication()              authenticate() 
reflect_vip()                       reflect_ip() 
service()                           allow or deny 
trace_destination()                 trace.destination() 
trace_level()                       trace.level() 
trace_request()                     trace.request() 
trace_rules()                       trace.rules() 


Table 3.10: Abandoned Policy Actions 

Abandoned Syntax                    Replacement Syntax 
replace()                           rewrite() 
virus_check()                       response.icap_service() (a property) 


Table 3.11: Abandoned Substitution Tokens 

Abandoned CPL                               Current CPL 
appliance_name                              appliance.name 
appliance_primary_address                   appliance.primary_address 
client_address                              client.address 
client_protocol                             client.protocol 
proxy_address                               proxy.address 
proxy_card                                  proxy.card 
proxy_name                                  proxy.name 
proxy_port                                  proxy.port 
proxy_primary_address                       proxy.primary_address 
proxy_via_http_version                      proxy.via_http_version 
release_id                                  release.id 
request_header.Accept                       request.header.Accept 
request_header.Accept-Charset               request.header.Accept-Charset 
request_header.Accept-Encoding              request.header.Accept-Encoding 
request_header.Accept-Language              request.header.Accept-Language 
request_header.Accept-Ranges                request.header.Accept-Ranges 
request_header.Age                          request.header.Age 
request_header.Allow                        request.header.Allow 
request_header.Authentication-Info          request.header.Authentication-Info 
request_header.Authorization                request.header.Authorization 
request_header.Cache-Control                request.header.Cache-Control 
request_header.Client-IP                    request.header.Client-IP 
request_header.Connection                   request.header.Connection 
request_header.Content-Encoding             request.header.Content-Encoding 
request_header.Content-Language             request.header.Content-Language 
request_header.Content-Length               request.header.Content-Length 
request_header.Content-Location             request.header.Content-Location 
request_header.Content-MD5                  request.header.Content-MD5 
request_header.Content-Range                request.header.Content-Range 
request_header.Content-Type                 request.header.Content-Type 
request_header.Cookie                       request.header.Cookie 
request_header.Cookie2                      request.header.Cookie2 
request_header.Date                         request.header.Date 
request_header.Etag                         request.header.Etag 
request_header.Expect                       request.header.Expect 
request_header.Expires                      request.header.Expires 
request_header.From                         request.header.From 
request_header.Front-End-HTTPS              request.header.Front-End-HTTPS 
request_header.Host                         request.header.Host 
request_header.If-Match                     request.header.If-Match 
request_header.If-Modified-Since            request.header.If-Modified-Since 
request_header.If-None-Match                request.header.If-None-Match 
request_header.If-Range                     request.header.If-Range 
request_header.If-Unmodified-Since          request.header.If-Unmodified-Since 
request_header.Last-Modified                request.header.Last-Modified 
request_header.Location                     request.header.Location 
request_header.Max-Forwards                 request.header.Max-Forwards 
request_header.Meter                        request.header.Meter 
request_header.P3P                          request.header.P3P 
request_header.Pragma                       request.header.Pragma 
request_header.Proxy-Authenticate           request.header.Proxy-Authenticate 
request_header.Proxy-Authorization          request.header.Proxy-Authorization 
request_header.Proxy-Connection             request.header.Proxy-Connection 
request_header.Range                        request.header.Range 
request_header.Referer                      request.header.Referer 
request_header.Refresh                      request.header.Refresh 
request_header.Retry-After                  request.header.Retry-After 
request_header.Server                       request.header.Server 
request_header.Set-Cookie                   request.header.Set-Cookie 
request_header.Set-Cookie2                  request.header.Set-Cookie2 
request_header.TE                           request.header.TE 
request_header.Trailer                      request.header.Trailer 
request_header.Transfer-Encoding            request.header.Transfer-Encoding 
request_header.Upgrade                      request.header.Upgrade 
request_header.User-Agent                   request.header.User-Agent 
request_header.Vary                         request.header.Vary 
request_header.Via                          request.header.Via 
request_header.WWW-Authenticate             request.header.WWW-Authenticate 
request_header.Warning                      request.header.Warning 
request_header.X-BlueCoat-Error             request.header.X-BlueCoat-Error 
request_header.X-BlueCoat-MC-Client-Ip      request.header.X-BlueCoat-MC-Client-Ip 
request_header.X-BlueCoat-Via               request.header.X-BlueCoat-Via 
request_header.X-Forwarded-For              request.header.X-Forwarded-For 
response_header.Accept                      response.header.Accept 
response_header.Accept-Charset              response.header.Accept-Charset 
response_header.Accept-Encoding             response.header.Accept-Encoding 
response_header.Accept-Language             response.header.Accept-Language 
response_header.Accept-Ranges               response.header.Accept-Ranges 
response_header.Age                         response.header.Age 
response_header.Allow                       response.header.Allow 
response_header.Authentication-Info         response.header.Authentication-Info 
response_header.Authorization               response.header.Authorization 
response_header.Cache-Control               response.header.Cache-Control 
response_header.Client-IP                   response.header.Client-IP 
response_header.Connection                  response.header.Connection 
response_header.Content-Encoding            response.header.Content-Encoding 
response_header.Content-Language            response.header.Content-Language 
response_header.Content-Length              response.header.Content-Length 
response_header.Content-Location            response.header.Content-Location 
response_header.Content-MD5                 response.header.Content-MD5 
response_header.Content-Range               response.header.Content-Range 
response_header.Content-Type                response.header.Content-Type 
response_header.Cookie                      response.header.Cookie 
response_header.Cookie2                     response.header.Cookie2 
response_header.If-Modified-Since           response.header.If-Modified-Since 
response_header.If-None-Match               response.header.If-None-Match 
response_header.If-Range                    response.header.If-Range 
response_header.If-Unmodified-Since         response.header.If-Unmodified-Since 
response_header.Last-Modified               response.header.Last-Modified 
response_header.Location                    response.header.Location 
response_header.Max-Forwards                response.header.Max-Forwards 
response_header.Meter                       response.header.Meter 
response_header.P3P                         response.header.P3P 
response_header.Pragma                      response.header.Pragma 
response_header.Proxy-Authenticate          response.header.Proxy-Authenticate 
response_header.Proxy-Authorization         response.header.Proxy-Authorization 
response_header.Proxy-Connection            response.header.Proxy-Connection 
response_header.Range                       response.header.Range 
response_header.Referer                     response.header.Referer 
response_header.Refresh                     response.header.Refresh 
response_header.Retry-After                 response.header.Retry-After 
response_header.Server                      response.header.Server 
response_header.Set-Cookie                  response.header.Set-Cookie 
response_header.Set-Cookie2                 response.header.Set-Cookie2 
response_header.TE                          response.header.TE 
response_header.Trailer                     response.header.Trailer 
response_header.Transfer-Encoding           response.header.Transfer-Encoding 
response_header.Upgrade                     response.header.Upgrade 
response_header.User-Agent                  response.header.User-Agent 
response_header.Vary                        response.header.Vary 
response_header.Via                         response.header.Via 
response_header.WWW-Authenticate            response.header.WWW-Authenticate 
response_header.Warning                     response.header.Warning 
response_header.X-BlueCoat-Error            response.header.X-BlueCoat-Error 
response_header.X-BlueCoat-MC-Client-Ip     response.header.X-BlueCoat-MC-Client-Ip 
response_header.X-BlueCoat-Via              response.header.X-BlueCoat-Via 
response_header.X-Forwarded-For             response.header.X-Forwarded-For 
transaction_id                              transaction.id 
url_address                                 url.address 
url_extension                               url.extension 
url_host                                    url.host 
url_host_name                               url.hostname 
url_path                                    url.pathquery 
url_port                                    url.port 
url_query                                   url.query 
url_scheme                                  url.scheme 


Documentation References 

Appendix D, "Substitutions," in the Blue Coat Content Policy Language Guide 
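The "Policy Deprecation" section above says abandoned syntax must be corrected before the upgrade is accepted, and Tables 3.5 through 3.11 give the replacements. The following script is an added example (not Blue Coat tooling and not part of this guide) that scans a CPL file for a subset of those abandoned forms, rewrites the mechanical ones (underscore names that became dotted names, renamed properties and actions, old substitution tokens) and reports the ones whose replacement depends on context. The sample policy at the bottom is constructed for illustration, and the `set()` action used in it is an assumption about CPL syntax, not something this guide states; the rename tables are transcribed from the tables above.

```python
"""Check a Content Policy Language (CPL) file for syntax that SGOS 4.x abandons.

Added example; not Blue Coat's tooling. The mappings are a subset of the
replacement tables in this guide (Tables 3.5, 3.8, 3.9, 3.10 and 3.11); the
sample policy at the bottom is constructed for illustration.
"""
import re

# Table 3.8: abandoned condition names (written with '=') and their replacements.
RENAMED_CONDITIONS = {
    "acl": "client.address", "client_address": "client.address",
    "client_protocol": "client.protocol", "protocol": "url.scheme",
    "proxy_address": "proxy.address", "proxy_card": "proxy.card",
    "proxy_port": "proxy.port", "release_id": "release.id",
    "release_version": "release.version", "url_address": "url.address",
    "url_domain": "url.domain", "url_extension": "url.extension",
    "url_host": "url.host", "url_host_is_numeric": "url.host.is_numeric",
    "url_host_no_name": "url.host.no_name", "url_host_regex": "url.host.regex",
    "url_host_suffix": "url.host.suffix", "url_path": "url.path",
    "url_path_regex": "url.path.regex", "url_port": "url.port",
    "url_prefix": "url", "url_query_regex": "url.query.regex",
    "url_regex": "url.regex", "url_scheme": "url.scheme",
    "user_domain": "user.domain",
}
# Tables 3.9 and 3.10: abandoned properties and actions (written with '(').
RENAMED_FUNCTIONS = {
    "content_filter_override": "request.filter_service", "label": "action",
    "prefetch": "pipeline", "proxy_authentication": "authenticate",
    "reflect_vip": "reflect_ip", "replace": "rewrite",
    "trace_destination": "trace.destination", "trace_level": "trace.level",
    "trace_request": "trace.request", "trace_rules": "trace.rules",
    "virus_check": "response.icap_service",
}
# Table 3.11: abandoned substitution tokens used inside $(...).
RENAMED_TOKENS = {
    "appliance_name": "appliance.name", "client_address": "client.address",
    "client_protocol": "client.protocol", "proxy_address": "proxy.address",
    "proxy_name": "proxy.name", "proxy_port": "proxy.port",
    "release_id": "release.id", "transaction_id": "transaction.id",
    "url_host": "url.host", "url_host_name": "url.hostname",
    "url_path": "url.pathquery", "url_query": "url.query", "url_scheme": "url.scheme",
}
# Abandoned syntax whose replacement depends on context: reported, never edited.
MANUAL = {
    "category.unavailable=": "use category=unavailable",
    "virus_pattern_update_url=": "remove; supported ICAP versions announce pattern updates",
    "define actions": "remove; actions can be defined anywhere in the policy",
    "max_bitrate(0)": "use max_bitrate(no)",
}


def _alternation(names):
    # Longest names first so a shorter key can never shadow a longer one.
    return "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))


# (?<![\w.]) keeps already-migrated dotted names (client.protocol=) untouched.
_RULES = [
    (re.compile(r"\bdefine acl\b"), lambda m: "define subnet"),
    (re.compile(r"(?<![\w.])(%s)=" % _alternation(RENAMED_CONDITIONS)),
     lambda m: RENAMED_CONDITIONS[m.group(1)] + "="),
    (re.compile(r"(?<![\w.])(%s)\(" % _alternation(RENAMED_FUNCTIONS)),
     lambda m: RENAMED_FUNCTIONS[m.group(1)] + "("),
    (re.compile(r"\b(request|response)_(x_)?header_address\.([\w-]+)="),
     lambda m: "%s.%sheader.%s.address=" % (m.group(1), m.group(2) or "", m.group(3))),
    (re.compile(r"\b(request|response)_(x_)?header\.([\w-]+)="),
     lambda m: "%s.%sheader.%s=" % (m.group(1), m.group(2) or "", m.group(3))),
    (re.compile(r"\$\((%s)\)" % _alternation(RENAMED_TOKENS)),
     lambda m: "$(%s)" % RENAMED_TOKENS[m.group(1)]),
    (re.compile(r"\$\((request|response)_header\.([\w-]+)\)"),
     lambda m: "$(%s.header.%s)" % (m.group(1), m.group(2))),
    # Table 3.7: '(1), '1 and $1 all become $(1).
    (re.compile(r"'\((\d+)\)|(?<!\w)'(\d+)\b|\$(\d+)\b"),
     lambda m: "$(%s)" % (m.group(1) or m.group(2) or m.group(3))),
]


def migrate_line(line):
    """Return (new_line, changes); changes is a list of (old, new) fragments."""
    changes = []
    for pattern, repl in _RULES:
        def _sub(m):
            new = repl(m)
            changes.append((m.group(0), new))
            return new
        line = pattern.sub(_sub, line)
    return line, changes


def check_policy(text):
    """Return (migrated_text, findings); findings are (line_no, old, new_or_advice)."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        new_line, changes = migrate_line(line)
        findings.extend((no, old, new) for old, new in changes)
        for old, advice in MANUAL.items():
            if old in new_line:
                findings.append((no, old, "MANUAL: " + advice))
        out.append(new_line)
    return "\n".join(out), findings


# Constructed sample in SGOS 3.x syntax (the set() action is an assumed CPL form).
SAMPLE_POLICY = """\
; constructed sample written in SGOS 3.x syntax
define acl internal
  10.0.0.0/8
end
define action tag_client
  set(request.header.X-Client, "$(client_address)")
end
<Proxy>
  acl=internal url_domain=example.com allow
  url_host_is_numeric=yes request_header.User-Agent="curl" deny
  category.unavailable=yes deny
  proxy_authentication()
<Cache>
  prefetch(yes)
"""

if __name__ == "__main__":
    migrated, report = check_policy(SAMPLE_POLICY)
    for no, old, new in report:
        print("line %d: %s -> %s" % (no, old, new))
    print(migrated)
```

Run it over an exported policy file before starting the upgrade, apply the automatic rewrites only after reading the report, and treat every MANUAL finding as something that has to be re-expressed by hand; the rename tables cover only the entries transcribed here, so a clean report is not proof that the whole file is free of abandoned syntax.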



Exception Pages 

A number of built-in exception pages have been added to SGOS 4.x to send information back to the 
user under operational contexts that are known to occur. New exception pages include: 

• HTML Notification 

o notify 
o notify_missing_cookie 

• Compression 

o transformation_error 
o unsupported_encoding 
o invalid_response 

• ICAP 

o icap_error (should be used in place of the existing icap_communications_error exception 
page) 

On a downgrade to SGOS 3.2.4, the ProxySG reverts to using the SGOS 3.x policy that was in use the 
last time that SGOS 3.x was running. 

Documentation References 

• Chapter 15, "Advanced Policy," in the Blue Coat ProxySG Configuration and Management Guide 

• The Blue Coat Content Policy Language Guide 



VPM 

In SGOS 4.x, VPM now uses UTF-8 encoding format for fetching and installing policy. 

UTF-8 Encoding 

As of SGOS 4.x, VPM policy (XML) stored in the ProxySG is read using the UTF-8 encoding format. 
Any international characters present in this policy must be encoded using UTF-8. Policy (XML) 
created through VPM prior to SGOS 4.x does not contain international characters and so it should 
continue to load correctly after the upgrade. 

If you created or edited the policy (XML) file outside VPM and loaded it into the ProxySG prior to 
upgrading, it might contain international characters. If these characters are not encoded in UTF-8 
format, VPM is unable to load the policy. In this case, it begins with an empty policy after displaying 
an error message. 

Important: Enable the auto-detect encoding feature on your browser so that it uses the encoding 
specified in the console URLs. The browser does not use the auto-detect encoding 
feature by default. If auto-detect encoding is not enabled, the browser ignores the 
charset header and uses the native OS language encoding for its display. 
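The paragraphs above describe the one failure mode of the UTF-8 change: a VPM policy (XML) edited outside VPM and saved in a legacy code page will not load, and VPM starts with an empty policy. The following pre-upgrade check is an added example, not Blue Coat tooling and not part of this guide. It verifies that the policy bytes are valid UTF-8 (and that any XML encoding declaration agrees), then that they parse as XML, and shows how to re-encode a file saved in a legacy single-byte code page. The code page used for re-encoding (`cp1252`) and the element names in the two sample documents are assumptions; the samples are constructed.

```python
"""Pre-upgrade check for a VPM policy (XML) file: SGOS 4.x reads it as UTF-8.

Added example; not Blue Coat's own tooling. It relies only on what this guide
states: the policy XML must be valid UTF-8 or VPM starts with an empty policy.
The legacy code page used for re-encoding is an assumption that must match the
editor that last saved the file; the sample documents are constructed.
"""
import re
import xml.etree.ElementTree as ET

_DECLARED_ENCODING = re.compile(rb'<\?xml[^>]*encoding="([^"]+)"')


def check_vpm_policy(data: bytes):
    """Return (ok, detail). ok is False when VPM would refuse to load the bytes."""
    declared = _DECLARED_ENCODING.match(data)
    if declared and declared.group(1).decode("ascii", "replace").lower() not in ("utf-8", "utf8"):
        return False, "XML declaration names %s, not UTF-8" % declared.group(1).decode("ascii", "replace")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        # Report the first offending byte so the editor that produced it can be found.
        return False, "byte offset %d is not valid UTF-8 (0x%02x)" % (exc.start, data[exc.start])
    try:
        ET.fromstring(data)
    except ET.ParseError as exc:
        return False, "XML parse error: %s" % exc
    return True, "valid UTF-8 XML"


def reencode_vpm_policy(data: bytes, legacy_encoding: str = "cp1252") -> bytes:
    """Re-encode a policy saved in a legacy single-byte code page as UTF-8.

    legacy_encoding is an assumption: use the code page the external editor
    actually saved with. An XML encoding declaration, if present, is rewritten.
    """
    text = data.decode(legacy_encoding)
    text = re.sub(r'(<\?xml[^>]*encoding=")[^"]+(")', r'\1UTF-8\2', text, count=1)
    return text.encode("utf-8")


# Constructed samples: the same policy as VPM writes it (UTF-8) and as an
# external editor saved it in Windows-1252, where "é" is the single byte 0xE9.
# The <policy>/<object> element names are placeholders, not the VPM schema.
UTF8_POLICY = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<policy><object name="caf\u00e9"/></policy>'
).encode("utf-8")
CP1252_POLICY = (
    '<?xml version="1.0"?>\n'
    '<policy><object name="caf\u00e9"/></policy>'
).encode("cp1252")

if __name__ == "__main__":
    for label, doc in (("vpm-saved", UTF8_POLICY), ("editor-saved", CP1252_POLICY)):
        print(label, check_vpm_policy(doc))
    print("re-encoded", check_vpm_policy(reencode_vpm_policy(CP1252_POLICY)))
```

Run the check against the policy file you intend to keep before upgrading; if it fails on a byte offset, fix the file with the editor that produced it or re-encode it from the code page that editor used, and re-run the check until it passes, because guessing the code page wrong silently corrupts the international characters instead of failing.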

Object Naming 

Objects that can be named by the user no longer start with _ (the underscore character). The underscore 
character is now used internally to prevent name collisions between objects that can be named by the 
user and internally generated names. 

If obsoleted objects are upgraded, such as File/MIME Types in SGOS 2.x that get translated into 
combined condition objects, these objects are prefixed with Upgraded_. Policy compiles correctly 
even if the underscore character is not removed. However, if you want to edit these objects, you must 
remove any underscore characters from the beginning of the object name before the object setting can 
be saved successfully. 

On an upgrade, objects that cannot be named by the user are automatically updated to have the 
underscore character prefix the object name. 

Documentation Reference 

Chapter 14, "VPM," in the Blue Coat ProxySG Configuration and Management Guide 
Securing the Serial Port 

When the secure serial port is enabled (recommended): 

• The Setup Console password is required to access the Setup Console. 

• An authentication challenge (username and password) is issued to access the CLI through the 
serial port. 

Upgrade/Downgrade Behavior 

• If you are upgrading, the secure serial port functionality is unchanged by default. If you never 
secured the serial port, the secure serial port functionality is disabled. If you subsequently use the 
Setup Console, you are asked if you want to enable the secure serial port at that time. 

• On new installations, you are asked if you want to enable the secure serial port. 

• Downgrades ignore the secure serial port setting. If older systems are present on the machine, it 
might be possible for an attacker to force the downgrade and then access the serial port. For 
maximum security, older systems should be deleted. 



SmartFilter Version 4 

SGOS 4.1 uses a new database download system for SmartFilter, version 4. A license key, which was 
sent to you by Secure Computing by e-mail when you ordered the database, is required to download 
the new version. In the e-mail, this key is listed as the Serial Number and is in the alpha-numeric 
format of: SFxx-xxxx-xxxx-xxxx. 



Note: If you use SmartFilter, version 3, the username/password assigned to you is still valid 
(for version 3 only). 



Documentation Reference 

Chapter 18, "Content Filtering," in the Blue Coat ProxySG Configuration and Management Guide. 



SSL Key Management 

SSL key management, in SGOS 4.x, has been modified to allow Director to better manage ProxySG 
appliances. 



Abandoned Syntax 

The following syntax is abandoned as of SGOS 4.x, replaced by the equivalent inline commands. 

SGOS# (config ssl) import keyring show|no-show keyring_id 
SGOS# (config ssl) import certificate keyring_id 
SGOS# (config ssl) import signing-request keyring_id 
SGOS# (config ssl) import ca-certificate keyring_id 
SGOS# (config ssl) import external-certificate keyring_id 

Documentation References 

Chapter 7, "Using Secure Services," in the Blue Coat ProxySG Configuration and Management Guide 

Chapter 21, "Maintenance," in the Blue Coat ProxySG Configuration and Management Guide 

Appendix F, "Using Director to Manage Appliances," in the Blue Coat ProxySG Configuration and 
Management Guide. 



SurfControl 

SGOS 4.1.3 uses a new database download system for SurfControl. A license key is no longer required 
to download the database; instead, you must configure a username/password (provided by Blue 
Coat). 



Important: If you are an existing SurfControl user, you must do a full download of the new 
SurfControl database before any content filtering can be done. Until such time, all URLs 
are categorized as unavailable. 



Upgrade/Downgrade Behavior 

• On upgrade, the SurfControl download URL is changed and any existing username and 
password values are erased. Until a new database is downloaded, SurfControl filtering is 
unavailable. 

• On downgrade, SurfControl filtering cannot be used until an md5-based database is downloaded. 
To download an md5-based database, you must re-establish the download URL value by using 
the Set to Default button in the Management Console. The license string remains intact and does 
not need to be re-entered. 

Documentation Reference 

Chapter 18, "Content Filtering," in the Blue Coat ProxySG Configuration and Management Guide. 